package configuration;

import io.confluent.kafka.test.utils.KafkaTestUtils;
import io.confluent.rbacapi.app.CCRbac;
import io.confluent.rbacapi.app.CCRbacConfig;
import io.confluent.rbacapi.box.CCRbacInABox;
import io.confluent.rbacapi.entities.AuthorizeRequest;
import io.confluent.rbacapi.retrofit.v2.V2RbacRestApi;
import io.confluent.rbacapi.retrofit.v2.V2RbacRetrofitFactory;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.test.utils.RbacClusters;
import io.confluent.testing.ldap.client.ExampleComLdapCrud;
import io.confluent.testing.ldap.server.LdapServer;
import java.io.File;
import java.io.IOException;
import java.io.PrintStream;
import java.net.ConnectException;
import java.nio.file.Files;
import java.nio.file.StandardOpenOption;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Properties;
import java.util.concurrent.TimeUnit;
import kafka.server.KafkaServer;
import org.apache.kafka.clients.admin.AdminClient;
import org.apache.kafka.clients.admin.NewTopic;
import org.apache.kafka.clients.admin.TopicDescription;
import org.apache.kafka.common.KafkaFuture;
import org.apache.kafka.common.network.ListenerName;
import org.awaitility.Awaitility;
import org.testng.Assert;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;
import parity.coop.V2CloudAuthorizeAuditTest;
import retrofit2.Response;
import utils.KafkaConfigTool;
import utils.MdsTestUtil;
import utils.PostgresDbTestBed;

@Test
/* loaded from: input_file:configuration/CCRbacConfigTest.class */
public class CCRbacConfigTest {
    private static final String U_FLOW_SERVICE_ADMIN = "flowserviceadmin";
    private static final String U_BROKER_SUPER_USER = "mds";
    private PostgresDbTestBed postgresDbTestBed;
    RbacClusters auditLogCluster;
    private LdapServer ldapServer;
    private KafkaTestUtils.ClientBuilder clientBuilder;
    private int mdsPort = 8060;
    private int ldapPort = 3389;
    private int kafkaAuditLogPort = -1;
    private List<String> users = Arrays.asList("mds", "flowserviceadmin", "alice", "bob", "carol", "dave");

    @BeforeClass
    public void setup() throws Exception {
        this.postgresDbTestBed = new PostgresDbTestBed();
        this.postgresDbTestBed.setupDBAndForcePort5432();
        this.ldapPort = startLdap(this.ldapPort);
        new ExampleComLdapCrud(this.ldapPort).createUsers(this.users);
        this.kafkaAuditLogPort = startKafkaAuditLogCluster();
    }

    @AfterClass
    public void teardown() {
        this.postgresDbTestBed.teardownDb();
        this.auditLogCluster.shutdown();
    }

    private int startLdap(int i) {
        LdapServer.LdapServerConfig ldapServerConfig = new LdapServer.LdapServerConfig();
        ldapServerConfig.port = i;
        ldapServerConfig.ldifClasspathFile = "/wedgeNoUsers.ldif";
        this.ldapServer = new LdapServer(ldapServerConfig).start();
        return this.ldapServer.actualPort();
    }

    private int startKafkaAuditLogCluster() throws Exception {
        RbacClusters.Config noAuth = KafkaConfigTool.noAuth("mds");
        KafkaConfigTool.turnOnAuditLogs(noAuth);
        this.auditLogCluster = new RbacClusters(noAuth);
        int boundPort = ((KafkaServer) this.auditLogCluster.metadataCluster.brokers().get(0)).boundPort(new ListenerName("EXTERNAL"));
        this.clientBuilder = this.auditLogCluster.mdsClientBuilder("mds");
        AdminClient buildAdminClient = this.clientBuilder.buildAdminClient();
        try {
            ((TopicDescription) ((KafkaFuture) buildAdminClient.describeTopics(Collections.singleton("confluent-audit-log-events")).values().get("confluent-audit-log-events")).get()).name();
        } catch (RuntimeException e) {
            buildAdminClient.createTopics(Collections.singleton(new NewTopic("confluent-audit-log-events", 1, (short) 1))).all().get();
        }
        return boundPort;
    }

    private void runAndCheckCCRbac(CCRbacConfig cCRbacConfig, boolean z) throws IOException, InterruptedException {
        CCRbac cCRbac = new CCRbac();
        Thread thread = new Thread(() -> {
            try {
                cCRbac.run(cCRbacConfig);
            } catch (Exception e) {
                System.out.println("ccRbac.run exited");
                System.out.println(e);
            }
        });
        thread.start();
        V2RbacRestApi build = V2RbacRetrofitFactory.build(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.mdsPort, "flowserviceadmin");
        Awaitility.given().ignoreException(ConnectException.class).await().atMost(10L, TimeUnit.SECONDS).until(() -> {
            return Boolean.valueOf(build.getRoleNames().execute().isSuccessful());
        });
        AuthorizeRequest authorizeRequest = new AuthorizeRequest("User:flowserviceadmin", Collections.singletonList(new Action(Scope.ROOT_SCOPE, new ResourceType("Topic"), "test-topic", new Operation("Describe"))));
        Awaitility.await().atMost(5L, TimeUnit.SECONDS).until(() -> {
            return Boolean.valueOf(cCRbac.embeddedAuthorizer != null);
        });
        if (z) {
            Awaitility.await().atMost(5L, TimeUnit.SECONDS).until(() -> {
                return Boolean.valueOf(cCRbac.embeddedAuthorizer.auditLogProvider().isEventLoggerReady());
            });
        } else {
            Thread.sleep(1000L);
        }
        Response execute = build.authorize("request-id-test", authorizeRequest).execute();
        Assert.assertTrue(execute.isSuccessful());
        Assert.assertEquals(execute.code(), 200);
        Assert.assertEquals(V2CloudAuthorizeAuditTest.getAuditLogRecord(this.clientBuilder.buildConsumer("test-group")) != null, z);
        cCRbac.close();
        try {
            System.out.println("Waiting for ccRbacThread");
            thread.join(5000L);
        } catch (InterruptedException e) {
        }
        if (thread.isAlive()) {
            System.out.println("Interrupting ccRbacThread");
            thread.interrupt();
        }
    }

    @Test
    public void testBasicAndLDAP() throws IOException, InterruptedException {
        Properties properties = new Properties();
        properties.put("confluent.security.event.logger.enable", "true");
        properties.put("confluent.security.event.logger.cloudevent.codec", "binary");
        properties.put("confluent.security.event.router.config", "{\"destinations\":{\"bootstrap_servers\":[\"localhost:" + this.kafkaAuditLogPort + "\"],\"topics\":{\"confluent-audit-log-events\":{\"retention_ms\":604800000}}},\"default_topics\":{\"allowed\":\"confluent-audit-log-events\",\"denied\":\"confluent-audit-log-events\"},\"excluded_principals\":[]}");
        properties.put("confluent.security.event.logger.exporter.kafka.security.protocol", "SASL_PLAINTEXT");
        properties.put("confluent.security.event.logger.exporter.kafka.sasl.mechanism", "SCRAM-SHA-256");
        properties.put("confluent.security.event.logger.exporter.kafka.sasl.jaas.config", "org.apache.kafka.common.security.scram.ScramLoginModule required     username=\"mds\"    password=\"mds-secret\";");
        properties.put("confluent.metadata.server.db.url", this.postgresDbTestBed.getDbUrl());
        properties.put("confluent.metadata.server.db.username", "cc_rbac_api");
        properties.put("confluent.metadata.server.db.password", "cc_rbac_api");
        properties.put("listeners", "http://0.0.0.0:" + this.mdsPort);
        properties.put("authentication.method", "BASIC");
        properties.put("user.store", "LDAP");
        properties.put("ldap.java.naming.provider.url", "ldap://localhost:" + this.ldapPort + "/dc=example,dc=com");
        properties.put("ldap.refresh.interval.ms", "50");
        properties.put("ldap.java.naming.security.principal", "uid=admin,ou=system");
        properties.put("ldap.java.naming.security.credentials", "secret");
        properties.put("ldap.java.naming.security.authentication", "simple");
        properties.put("ldap.group.name.attribute", "cn");
        properties.put("ldap.group.member.attribute.pattern", "uid=(.*),ou=users,dc=example,dc=com");
        System.out.println(properties);
        runAndCheckCCRbac(new CCRbacConfig(properties), true);
    }

    @Test
    public void testBasicAndLDAPAndNoAudit() throws IOException, InterruptedException {
        Properties properties = new Properties();
        properties.put("confluent.security.event.logger.enable", "false");
        properties.put("confluent.security.event.logger.cloudevent.codec", "binary");
        properties.put("confluent.security.event.router.config", "{\"destinations\":{\"bootstrap_servers\":[\"localhost:" + this.kafkaAuditLogPort + "\"],\"topics\":{\"confluent-audit-log-events\":{\"retention_ms\":604800000}}},\"default_topics\":{\"allowed\":\"confluent-audit-log-events\",\"denied\":\"confluent-audit-log-events\"},\"excluded_principals\":[]}");
        properties.put("confluent.security.event.logger.exporter.kafka.security.protocol", "SASL_PLAINTEXT");
        properties.put("confluent.security.event.logger.exporter.kafka.sasl.mechanism", "SCRAM-SHA-256");
        properties.put("confluent.security.event.logger.exporter.kafka.sasl.jaas.config", "org.apache.kafka.common.security.scram.ScramLoginModule required     username=\"mds\"    password=\"mds-secret\";");
        properties.put("confluent.metadata.server.db.url", this.postgresDbTestBed.getDbUrl());
        properties.put("confluent.metadata.server.db.username", "cc_rbac_api");
        properties.put("confluent.metadata.server.db.password", "cc_rbac_api");
        properties.put("listeners", "http://0.0.0.0:" + this.mdsPort);
        properties.put("authentication.method", "BASIC");
        properties.put("user.store", "LDAP");
        properties.put("ldap.java.naming.provider.url", "ldap://localhost:" + this.ldapPort + "/dc=example,dc=com");
        properties.put("ldap.refresh.interval.ms", "50");
        properties.put("ldap.java.naming.security.principal", "uid=admin,ou=system");
        properties.put("ldap.java.naming.security.credentials", "secret");
        properties.put("ldap.java.naming.security.authentication", "simple");
        properties.put("ldap.group.name.attribute", "cn");
        properties.put("ldap.group.member.attribute.pattern", "uid=(.*),ou=users,dc=example,dc=com");
        System.out.println(properties);
        runAndCheckCCRbac(new CCRbacConfig(properties), false);
    }

    @Test
    public void testBasicAndFile() throws IOException, InterruptedException {
        Properties properties = new Properties();
        properties.put("confluent.security.event.logger.enable", "true");
        properties.put("confluent.security.event.logger.cloudevent.codec", "binary");
        properties.put("confluent.security.event.router.config", "{\"destinations\":{\"bootstrap_servers\":[\"localhost:" + this.kafkaAuditLogPort + "\"],\"topics\":{\"confluent-audit-log-events\":{\"retention_ms\":604800000}}},\"default_topics\":{\"allowed\":\"confluent-audit-log-events\",\"denied\":\"confluent-audit-log-events\"},\"excluded_principals\":[]}");
        properties.put("confluent.security.event.logger.exporter.kafka.security.protocol", "SASL_PLAINTEXT");
        properties.put("confluent.security.event.logger.exporter.kafka.sasl.mechanism", "SCRAM-SHA-256");
        properties.put("confluent.security.event.logger.exporter.kafka.sasl.jaas.config", "org.apache.kafka.common.security.scram.ScramLoginModule required     username=\"mds\"    password=\"mds-secret\";");
        properties.put("confluent.metadata.server.db.url", this.postgresDbTestBed.getDbUrl());
        properties.put("confluent.metadata.server.db.username", "cc_rbac_api");
        properties.put("confluent.metadata.server.db.password", "cc_rbac_api");
        properties.put("listeners", "http://0.0.0.0:" + this.mdsPort);
        properties.put("authentication.method", "BASIC");
        properties.put("user.store", "FILE");
        properties.put("user.store.file.path", CCRbacInABox.createHashLoginPropFile(this.users).getPath());
        runAndCheckCCRbac(new CCRbacConfig(properties), true);
    }

    @Test
    public void testBearerAndLDAP() throws IOException, InterruptedException {
        KafkaConfigTool.TokenPemFiles createTokenPemFiles = KafkaConfigTool.createTokenPemFiles();
        Properties properties = new Properties();
        properties.put("confluent.security.event.logger.enable", "true");
        properties.put("confluent.security.event.logger.cloudevent.codec", "binary");
        properties.put("confluent.security.event.router.config", "{\"destinations\":{\"bootstrap_servers\":[\"localhost:" + this.kafkaAuditLogPort + "\"],\"topics\":{\"confluent-audit-log-events\":{\"retention_ms\":604800000}}},\"default_topics\":{\"allowed\":\"confluent-audit-log-events\",\"denied\":\"confluent-audit-log-events\"},\"excluded_principals\":[]}");
        properties.put("confluent.security.event.logger.exporter.kafka.security.protocol", "SASL_PLAINTEXT");
        properties.put("confluent.security.event.logger.exporter.kafka.sasl.mechanism", "SCRAM-SHA-256");
        properties.put("confluent.security.event.logger.exporter.kafka.sasl.jaas.config", "org.apache.kafka.common.security.scram.ScramLoginModule required     username=\"mds\"    password=\"mds-secret\";");
        properties.put("confluent.metadata.server.db.url", this.postgresDbTestBed.getDbUrl());
        properties.put("confluent.metadata.server.db.username", "cc_rbac_api");
        properties.put("confluent.metadata.server.db.password", "cc_rbac_api");
        properties.put("listeners", "http://0.0.0.0:" + this.mdsPort);
        properties.put("authentication.method", "BEARER");
        properties.put("token.key.path", createTokenPemFiles.tokenKeyPair);
        properties.put("user.store", "LDAP");
        properties.put("ldap.java.naming.provider.url", "ldap://localhost:" + this.ldapPort + "/dc=example,dc=com");
        properties.put("ldap.refresh.interval.ms", "50");
        properties.put("ldap.java.naming.security.principal", "uid=admin,ou=system");
        properties.put("ldap.java.naming.security.credentials", "secret");
        properties.put("ldap.java.naming.security.authentication", "simple");
        properties.put("ldap.group.name.attribute", "cn");
        properties.put("ldap.group.member.attribute.pattern", "uid=(.*),ou=users,dc=example,dc=com");
        System.out.println(properties);
        runAndCheckCCRbac(new CCRbacConfig(properties), true);
    }

    @Test
    public void testBearerAndNone() {
        KafkaConfigTool.TokenPemFiles createTokenPemFiles = KafkaConfigTool.createTokenPemFiles();
        Properties properties = new Properties();
        properties.put("confluent.security.event.logger.enable", "true");
        properties.put("confluent.security.event.logger.cloudevent.codec", "binary");
        properties.put("confluent.security.event.router.config", "{\"destinations\":{\"bootstrap_servers\":[\"localhost:" + this.kafkaAuditLogPort + "\"],\"topics\":{\"confluent-audit-log-events\":{\"retention_ms\":604800000}}},\"default_topics\":{\"allowed\":\"confluent-audit-log-events\",\"denied\":\"confluent-audit-log-events\"},\"excluded_principals\":[]}");
        properties.put("confluent.security.event.logger.exporter.kafka.security.protocol", "SASL_PLAINTEXT");
        properties.put("confluent.security.event.logger.exporter.kafka.sasl.mechanism", "SCRAM-SHA-256");
        properties.put("confluent.security.event.logger.exporter.kafka.sasl.jaas.config", "org.apache.kafka.common.security.scram.ScramLoginModule required     username=\"mds\"    password=\"mds-secret\";");
        properties.put("confluent.metadata.server.db.url", this.postgresDbTestBed.getDbUrl());
        properties.put("confluent.metadata.server.db.username", "cc_rbac_api");
        properties.put("confluent.metadata.server.db.password", "cc_rbac_api");
        properties.put("listeners", "http://0.0.0.0:" + this.mdsPort);
        properties.put("authentication.method", "BEARER");
        properties.put("token.key.path", createTokenPemFiles.tokenKeyPair);
        properties.put("user.store", "NONE");
        properties.put("jwksLocation", "https://auth-static-devel.confluent-dev.io/jwks");
        properties.put("verificationKeyResolver", "https");
        properties.put("audience", "CONTROL_PLANE,CONNECT");
        System.out.println(properties);
        CCRbac cCRbac = new CCRbac();
        Thread thread = new Thread(() -> {
            try {
                cCRbac.run(new CCRbacConfig(properties));
            } catch (Exception e) {
                System.out.println("ccRbac.run exited");
                System.out.println(e);
            }
        });
        thread.start();
        V2RbacRestApi build = V2RbacRetrofitFactory.build(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.mdsPort, "flowserviceadmin");
        Awaitility.given().ignoreException(ConnectException.class).await().atMost(10L, TimeUnit.SECONDS).until(() -> {
            Response execute = build.getRoleNames().execute();
            return Boolean.valueOf(!execute.isSuccessful() && execute.code() == 401);
        });
        cCRbac.close();
        try {
            System.out.println("Waiting for ccRbacThread");
            thread.join(5000L);
        } catch (InterruptedException e) {
        }
        if (thread.isAlive()) {
            System.out.println("Interrupting ccRbacThread");
            thread.interrupt();
        }
    }

    @Test
    public void testCCRbacConfigFile() throws Exception {
        List asList = Arrays.asList("mds", "flowserviceadmin", "alice", "bob", "carol", "dave");
        File createTempFile = File.createTempFile("test-CCRbac-config-file", ".properties");
        createTempFile.deleteOnExit();
        PrintStream printStream = new PrintStream(Files.newOutputStream(createTempFile.toPath(), StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING));
        printStream.println("confluent.security.event.logger.enable=false");
        printStream.println("confluent.metadata.server.db.url=" + this.postgresDbTestBed.getDbUrl());
        printStream.println("confluent.metadata.server.db.username=cc_rbac_api");
        printStream.println("confluent.metadata.server.db.password=cc_rbac_api");
        printStream.println("listeners=http://0.0.0.0:" + this.mdsPort);
        printStream.println("authentication.method=BASIC");
        printStream.println("user.store=FILE");
        printStream.println("user.store.file.path=" + CCRbacInABox.createHashLoginPropFile(asList).getPath());
        printStream.close();
        runAndCheckCCRbac(CCRbacConfig.loadFromFileAndEnvironment(createTempFile.getPath()), false);
    }
}
